Roundcube Webmail vulnerabilities
88 known vulnerabilities affecting roundcube/webmail.
Total CVEs: 88
CISA KEV: 11 (actively exploited)
Public exploits: 12
Exploited in wild: 12
Severity breakdown: CRITICAL 7, HIGH 20, MEDIUM 54, LOW 7
Vulnerabilities
Page 4 of 5
CVE-2020-12625 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.4.4 | 2020-05-04
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
Source: nvd
CVE-2015-5381 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affects v1.1 | 2017-05-23
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.
Source: nvd
CVE-2021-44025 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.3.17; also affects ≥ 1.4.0, < 1.4.12 | 2021-11-19
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
Source: nvd
CVE-2020-13964 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.3.12; also affects ≥ 1.4.0, < 1.4.5 | 2020-06-09
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.
Source: nvd
CVE-2011-4078 | P4 | MEDIUM | CVSS 5.0 | affects ≤ 0.5.4 (v0.1, +12 more) | 2011-11-03
include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET request for an arbitrary URL, and cause a denial of service (resource consumption and inbox outage), via a Subject header containing only a URL, a related issue to CVE-2011-3379.
Source: nvd
CVE-2021-26925 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 1.4.11 | 2021-02-09
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
Source: nvd
CVE-2020-18670 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affects v1.4.4 | 2021-06-24
Cross-site scripting (XSS) vulnerability in Roundcube Webmail 1.4.4 via the database host and user fields in /installer/test.php.
Source: nvd
CVE-2015-8793 | P4 | MEDIUM | CVSS 6.1 | affects ≤ 1.0.5 (v1.1.0, +1 more) | 2016-01-29
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937.
Source: nvd
CVE-2016-4552 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affects v1.2 | 2016-12-20
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the href attribute in an area tag in an e-mail message.
Source: nvd
CVE-2017-6820 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affects ≤ 1.1.7 (v1.2.0, +3 more) | 2017-03-12
rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.
Source: nvd
CVE-2010-0464 | P4 | MEDIUM | CVSS 5.0 | CWE-200 | affects ≤ 0.3.1 (v0.1, +5 more) | 2010-01-29
Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
Source: nvd
CVE-2020-18671 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affects ≤ 1.4.4 | 2021-06-24
Cross-site scripting (XSS) vulnerability in Roundcube Webmail <= 1.4.4 via the SMTP config fields in /installer/test.php.
Source: nvd
CVE-2026-35541 | P4 | MEDIUM | CVSS 4.2 | CWE-843 | fixed in 1.5.14; also affects ≥ 1.6.0, < 1.6.14 | 2026-04-03
An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password.
Source: nvd
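The CWE-843 class named in the entry above is, in PHP, almost always a loose comparison of a user-supplied value against a stored one. The following is an editor-added illustration of that pattern in generic form; it is not Roundcube's password plugin code and does not reproduce the actual CVE-2026-35541 defect. The stored value, the function names and the probe inputs are all constructed for the example.

```php
<?php
// Editor-added illustration of the CWE-843 (type confusion) class behind the
// CVE-2026-35541 entry. NOT Roundcube's password plugin code and not a
// reproduction of its bug: it shows the generic PHP pattern in which a loose
// (==) comparison of a "current password" field against the stored credential
// can succeed without the real value.

// Constructed stand-in for the credential a plugin would fetch for the session.
// Hypothetical value, chosen because PHP treats "0e<digits>" as a numeric
// string equal to 0 when it is compared with another numeric string.
const STORED_PASSWORD = '0e462097431906509019562988736854';

// Vulnerable: == compares two numeric strings as numbers, compares an int
// against a numeric string as numbers, and treats bool true as equal to any
// non-empty string other than "0".
function old_password_ok_loose($supplied): bool
{
    return $supplied == STORED_PASSWORD;
}

// Hardened: refuse anything that is not a string, then compare bytes in
// constant time. hash_equals() itself rejects non-string arguments (a
// TypeError on PHP 8), so the is_string() guard turns that into a clean false.
function old_password_ok_strict($supplied): bool
{
    return is_string($supplied) && hash_equals(STORED_PASSWORD, $supplied);
}

// Constructed attacker inputs. A form field normally arrives as a string, but
// a JSON body or a crafted query string can deliver other PHP types.
$probes = [
    'numeric-looking string "0"' => '0',
    'another 0e string'          => '0e1',
    'boolean true (from JSON)'   => true,
    'integer 0 (from JSON)'      => 0,
    'the real password'          => STORED_PASSWORD,
];

foreach ($probes as $label => $value) {
    printf("%-28s loose=%-5s strict=%s\n",
        $label,
        var_export(old_password_ok_loose($value), true),
        var_export(old_password_ok_strict($value), true));
}
```

Run stand-alone, the loose comparison accepts every probe, while the strict comparison accepts only the real password. The practical check for any PHP credential path is therefore twofold: the input must be verified to be a string before comparison, and the comparison must be `hash_equals()` (or `===`), never `==` or `strcmp(...) == 0`.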
CVE-2026-25916 | P4 | MEDIUM | CVSS 4.3 | CWE-420 | fixed in 1.5.13; also affects ≥ 1.6.0, < 1.6.13 | 2026-02-09
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
Source: nvd
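The entry above is an instance of a general problem with remote-content blocking: a filter built as a short list of tags (img src, CSS background) misses other elements that fetch a URL, and SVG's feImage filter primitive is one of them. The example below is added by the editor and is not Roundcube's rcube_washtml code. It parses a constructed HTML mail body with PHP's DOMDocument and contrasts a naive img-only scan with a scan over every element and every URL-bearing attribute, generalising beyond feImage to CSS url() in style attributes as well. The attribute list, function names and tracker.example hostnames are assumptions for the example.

```php
<?php
// Editor-added example, not Roundcube's rcube_washtml code. Shows why a remote
// image blocker that only inspects <img src> misses <feImage href="https://...">
// inside an SVG filter, and what a thorough scan looks like instead.

// Attribute names that can carry a fetchable URL (assumed list, not exhaustive).
const URL_ATTRIBUTES = ['src', 'href', 'xlink:href', 'background', 'poster', 'data'];

// Absolute http(s) or protocol-relative URLs count as remote.
function isRemoteUrl(string $url): bool
{
    return (bool) preg_match('#^(?:https?:)?//#i', trim($url));
}

// Naive blocker: the pattern the entry describes as insufficient.
function remoteRefsNaive(DOMDocument $doc): array
{
    $hits = [];
    foreach ($doc->getElementsByTagName('img') as $img) {
        if (isRemoteUrl($img->getAttribute('src'))) {
            $hits[] = 'img@src=' . $img->getAttribute('src');
        }
    }
    return $hits;
}

// Thorough scan: every element, every URL-bearing attribute, plus url() in style.
function remoteRefsThorough(DOMDocument $doc): array
{
    $hits = [];
    foreach ((new DOMXPath($doc))->query('//*') as $el) {
        foreach (URL_ATTRIBUTES as $attr) {
            if ($el->hasAttribute($attr) && isRemoteUrl($el->getAttribute($attr))) {
                $hits[] = sprintf('%s@%s=%s', $el->nodeName, $attr, $el->getAttribute($attr));
            }
        }
        if ($el->hasAttribute('style')
            && preg_match_all('/url\(\s*["\']?([^"\')\s]+)/i', $el->getAttribute('style'), $m)) {
            foreach ($m[1] as $u) {
                if (isRemoteUrl($u)) {
                    $hits[] = sprintf('%s@style=%s', $el->nodeName, $u);
                }
            }
        }
    }
    return $hits;
}

function parseHtml(string $html): DOMDocument
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // libxml complains about SVG tags inside HTML
    $doc->loadHTML($html);
    libxml_clear_errors();
    return $doc;
}

// Constructed HTML mail body: a conventional tracking pixel, a CSS background,
// and an SVG filter whose feImage pulls a remote resource. Hostnames are placeholders.
$sample = <<<'HTML'
<html><body>
<img src="https://tracker.example/open.gif" width="1" height="1">
<div style="background:url('https://tracker.example/bg.png')"></div>
<svg width="10" height="10">
  <filter id="f"><feImage href="https://tracker.example/feimage.png"/></filter>
  <rect width="10" height="10" filter="url(#f)"/>
</svg>
</body></html>
HTML;

$doc = parseHtml($sample);
echo "naive:\n";
foreach (remoteRefsNaive($doc) as $h) echo "  $h\n";
echo "thorough:\n";
foreach (remoteRefsThorough($doc) as $h) echo "  $h\n";
```

The naive scan reports only the img element; the thorough scan also reports the div's style url() and the feimage href (libxml lowercases tag names when parsing HTML). Two caveats apply when turning this into a blocker: the decision must be enforced by rewriting or removing the attribute in the sanitised DOM that is actually delivered to the browser, not by matching the raw message text, and the parser used for sanitising must be the one whose output is rendered, since parsing differences between the server-side parser and the browser are themselves a bypass source.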
CVE-2026-48849 | P4 | MEDIUM | CVSS 4.4 | CWE-79 | affects ≥ 1.6.0, < 1.6.16; ≥ 1.7.0, < 1.7.1 | 2026-05-25
In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.
Source: cvelistv5, nvd
CVE-2015-1433 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | affects ≤ 1.0.4 | 2015-02-03
program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email.
Source: nvd
CVE-2026-48847 | P4 | LOW | CVSS 3.7 | CWE-669 | affects ≥ 1.6.0, < 1.6.16; ≥ 1.7.0, < 1.7.1 | 2026-05-25
Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.
Source: cvelistv5, nvd
CVE-2013-5645 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | affects ≤ 0.9.2 (v0.1, +29 more) | 2013-08-29
Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in (1) new or (2) draft mode, related to compose.inc; and (3) might allow remote authenticated users to inject arbitrary web script or HTML via an HTML signat
Source: nvd
CVE-2019-10740 | P4 | MEDIUM | CVSS 4.3 | CWE-319 | fixed in 1.3.10 | 2019-04-07
In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver repl
Source: nvd
CVE-2011-2937 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | affects ≤ 0.5.3 (v0.1, +11 more) | 2011-09-21
Cross-site scripting (XSS) vulnerability in the UI messages functionality in Roundcube Webmail before 0.5.4 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.
Source: nvd